summaryrefslogtreecommitdiff
path: root/sss_client
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2009-03-02 15:26:19 +0100
committerSimo Sorce <ssorce@redhat.com>2009-03-05 09:58:41 -0500
commit4013218cd8c9840ac6db1084bbdfa22f601bd3b8 (patch)
tree6e94bc12d427496fe49aa18469f4dc4755219a3d /sss_client
parentf9f42495c5ab22e17f7e59bd2df3f9353301d8b8 (diff)
downloadsssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.tar.gz
sssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.tar.bz2
sssd-4013218cd8c9840ac6db1084bbdfa22f601bd3b8.zip
added a privileged pipe
Diffstat (limited to 'sss_client')
-rw-r--r--sss_client/common.c17
-rw-r--r--sss_client/sss_cli.h14
2 files changed, 24 insertions, 7 deletions
diff --git a/sss_client/common.c b/sss_client/common.c
index 50aabff2..d0fb0118 100644
--- a/sss_client/common.c
+++ b/sss_client/common.c
@@ -29,6 +29,7 @@
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
+#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
@@ -594,6 +595,7 @@ int sss_pam_make_request(enum sss_cli_command cmd,
{
int ret;
char *envval;
+ struct stat stat_buf;
/* avoid looping in the pam daemon */
envval = getenv("_SSS_LOOPS");
@@ -601,7 +603,20 @@ int sss_pam_make_request(enum sss_cli_command cmd,
return PAM_SERVICE_ERR;
}
- ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+ /* only root shall use the privileged pipe */
+ if (getuid() == 0 && getgid() == 0) {
+ ret = stat(SSS_PAM_PRIV_SOCKET_NAME, &stat_buf);
+ if (ret != 0) return PAM_SERVICE_ERR;
+ if ( ! (stat_buf.st_uid == 0 &&
+ stat_buf.st_gid == 0 &&
+ (stat_buf.st_mode&(S_IFSOCK|S_IRUSR|S_IWUSR)) == stat_buf.st_mode)) {
+ return PAM_SERVICE_ERR;
+ }
+
+ ret = sss_cli_check_socket(errnop, SSS_PAM_PRIV_SOCKET_NAME);
+ } else {
+ ret = sss_cli_check_socket(errnop, SSS_PAM_SOCKET_NAME);
+ }
if (ret != NSS_STATUS_SUCCESS) {
return PAM_SERVICE_ERR;
}
diff --git a/sss_client/sss_cli.h b/sss_client/sss_cli.h
index 5445b5fa..1e19e5e2 100644
--- a/sss_client/sss_cli.h
+++ b/sss_client/sss_cli.h
@@ -19,6 +19,7 @@
* Also a change in one of the pipes will not affect the others */
#define SSS_NSS_SOCKET_NAME "/var/lib/sss/pipes/nss"
#define SSS_PAM_SOCKET_NAME "/var/lib/sss/pipes/pam"
+#define SSS_PAM_PRIV_SOCKET_NAME "/var/lib/sss/pipes/private/pam"
#define SSS_PROTOCOL_VERSION 0
@@ -121,12 +122,13 @@ enum sss_cli_command {
#endif
/* PAM related calls */
- SSS_PAM_AUTHENTICATE = 0x00F1,
- SSS_PAM_SETCRED = 0x00F2,
- SSS_PAM_ACCT_MGMT = 0x00F3,
- SSS_PAM_OPEN_SESSION = 0x00F4,
- SSS_PAM_CLOSE_SESSION = 0x00F5,
- SSS_PAM_CHAUTHTOK = 0x00F6,
+ SSS_PAM_AUTHENTICATE = 0x00F1,
+ SSS_PAM_SETCRED = 0x00F2,
+ SSS_PAM_ACCT_MGMT = 0x00F3,
+ SSS_PAM_OPEN_SESSION = 0x00F4,
+ SSS_PAM_CLOSE_SESSION = 0x00F5,
+ SSS_PAM_CHAUTHTOK = 0x00F6,
+ SSS_PAM_CHAUTHTOK_PRELIM = 0x00F6,
};